DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy telling recipients what to do with messages failing SPF/DKIM. Published as a _dmarc.example.com TXT record. Minimum: v=DMARC1; p=none; rua=mailto:dmarc@example.com. Standard rollout: p=none → 2 weeks of monitoring → quarantine → reject.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — SPF/DKIM/DMARC checker: instant results, no signup.
dmarc@example.com (or use a service like dmarcian.com)_dmarc, value v=DMARC1; p=none; rua=mailto:dmarc@example.comp=quarantine; pct=25 (25% of unauthenticated mail → spam)p=quarantine; pct=100, another week later: p=reject; pct=100| Scenario | Config / Record |
|---|---|
| Starter (monitoring) | v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1 |
| Quarantine 25% | v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com |
| Final (reject) | v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s |
| Subdomain policy | v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com |
| Parked domain (sends no mail) | v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s |
adkim=s (strict) requires exact d= match in DKIM. Relaxed (r) allows subdomainTo set up a DMARC record, create a DNS TXT record for your domain with the name _dmarc.yourdomain.com and include the policy, reporting addresses, and optional parameters. For example: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; fo=1. This configuration enables DMARC reporting while allowing emails to pass through without enforcement.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a crucial email authentication protocol that helps prevent email spoofing and phishing attacks. DMARC builds on two existing protocols: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). By implementing DMARC, domain owners can specify how receiving mail servers should handle unauthenticated emails. In 2026, with increasing cyber threats, setting up a DMARC record is more vital than ever.
The primary components of a DMARC record include:
none: No specific action is taken, but reports are generated.quarantine: Messages that fail DMARC checks are treated as suspicious and may be sent to spam.reject: Messages failing DMARC checks are outright rejected.rua=mailto:dmarc-reports@yourdomain.com specifies where to send summary reports.fo, which controls failure reporting.By establishing a DMARC record, organizations can protect their domain's reputation and enhance email deliverability. It also aids in understanding the sources of email traffic and potential abuse.
Setting up a DMARC record involves several steps. Here’s a detailed approach to ensure a successful configuration:
_dmarc.yourdomain.com. Replace yourdomain.com with your actual domain.v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; fo=1Example of a DMARC Record:
| Field | Value |
|---|---|
| Record Type | TXT |
| Name | _dmarc.yourdomain.com |
| Value | v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; fo=1 |
After implementing the DMARC record, monitor the reports sent to the specified addresses. These reports will provide insights into email authentication results and help you adjust your policy as needed.
DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.
Specify domain and DKIM selector — get the public key and its parameters.
RSA/Ed25519 key length, hash algorithm, flags, and validity period.
If key < 2048 bits — we issue a warning and key rotation instructions.
Direct DNS query in seconds — no waiting for TTL.
pre-send verification
mail server setup
phishing protection audit
email deliverability debug
DKIM check history and DNS monitoring for domain record changes.
Sign up free<code>rua</code> — aggregate reports (daily stats from Gmail/Yandex). <code>ruf</code> — forensic reports (individual failed messages, optional). rua is enough for 99% of cases.
Yes. Even a parked domain (no mail) should have DMARC, otherwise an attacker can spoof your name in phishing.
It is XML. Services like dmarcian.com, dmarcanalyzer.com, postmaster.google.com parse and visualise it — free tiers are usually enough.
Minimum 2 weeks of p=none monitoring. Optimal: 4 weeks p=none → 2 weeks p=quarantine pct=25 → 2 weeks pct=100 → p=reject. About 2 months total.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.